CoursesDetection engineeringDetection-as-code & Sigma

Testing detections

True-positive/negative tests and Atomic Red Team.

Advanced30 min · lesson 3 of 15

A detection you have not tested is a hypothesis, not a control. Detection testing — proving a rule fires on the malicious case and stays quiet on the benign one — is what separates coverage you can rely on from a false sense of security.

True positives and true negatives

Every detection needs two kinds of test. A true-positive test feeds it telemetry from the actual technique and asserts the rule fires — otherwise you have a silent gap that looks like coverage. A true-negative test feeds it representative benign activity and asserts the rule stays quiet — otherwise you have a noise machine that will drown responders. A rule that never fires and one that always fires both pass a naive "it exists" check; only both tests together prove it works. Wire these into CI so a change that breaks either is a failed build, not a production surprise.

test a detection both ways in CI
# true-positive: malicious sample → the rule MUST fire
- input: cloudtrail-console-login-no-mfa.json
expect: match
# true-negative: normal MFA login → the rule MUST NOT fire
- input: cloudtrail-console-login-with-mfa.json
expect: no-match
# CI runs the rule against both; either wrong assertion fails the build.
# Regression: someone loosens the rule → the negative test catches the new noise.

Detonate the real technique

Sample-based tests prove logic; adversary emulation proves end-to-end coverage. Tools like Atomic Red Team execute small, ATT&CK-mapped techniques safely in a test environment, so you can confirm the telemetry is actually collected, the pipeline parses it, and the detection fires — the full path, not just the rule in isolation. Purple-team exercises (attackers and defenders working together) do this at scale, mapping which techniques you detect and which you miss. The findings feed straight back into the detection-as-code loop: a missed technique becomes a new, tested rule.

Two layers of detection testing
unit (logic)
true-positive sample
rule must fire
true-negative sample
rule must stay quiet
end-to-end (coverage)
Atomic Red Team
detonate the real technique
purple team
map detected vs missed, at scale
Unit tests prove the rule; emulation proves the whole path collects, parses, and detects. Misses become new tested detections.
An untested detection is coverage theater
A rule that has never been exercised against the real technique may silently fail — the telemetry might not be collected, the field might be misnamed, the pipeline might drop it. Detonate techniques (Atomic Red Team) and assert the detection fires end to end; "we have a rule for that" means nothing until you have seen it trigger.